[Backport] Security bug 327183408

Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/5382202: Fix PaintImage deserialization arbitrary-read issue (cherry picked from commit 47e8386c97ac7a84a96866fbd35422b99a01de5a) Bug: 327183408 Change-Id: I09927fbae60b666aaa370e3aba01607cdb977a25 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5370455 Reviewed-by: Sunny Sachanandani <[email protected]> Commit-Queue: Peng Huang <[email protected]> Cr-Original-Commit-Position: refs/heads/main@{#1272930} Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5382202 Auto-Submit: Peng Huang <[email protected]> Commit-Queue: Sunny Sachanandani <[email protected]> Cr-Commit-Position: refs/branch-heads/6261@{#1106} Cr-Branched-From: 9755d9d81e4a8cb5b4f76b23b761457479dbb06b-refs/heads/main@{#1250580} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/553301 Reviewed-by: Michal Klocek <[email protected]>
qt · Apr 10, 2024 · bf9f7b0 · bf9f7b0
1 parent 05f91b1
commit bf9f7b0
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/chromium/cc/paint/paint_op_reader.cc b/chromium/cc/paint/paint_op_reader.cc
@@ -1456,9 +1456,10 @@ inline void PaintOpReader::DidRead(size_t bytes_read) {
   // All data are aligned with PaintOpWriter::kDefaultAlignment at least.
   size_t aligned_bytes =
       base::bits::AlignUp(bytes_read, PaintOpWriter::kDefaultAlignment);
-  memory_ += aligned_bytes;
   DCHECK_LE(aligned_bytes, remaining_bytes_);
-  remaining_bytes_ -= aligned_bytes;
+  bytes_read = std::min(aligned_bytes, remaining_bytes_);
+  memory_ += bytes_read;
+  remaining_bytes_ -= bytes_read;
 }
 
 }  // namespace cc